Just a few years ago, sending encrypted messages was a challenge. Just to get started, you had to spend hours following along with jargon-filled tutorials, or be lucky enough to find a nerd friend to teach you. The few that survived this process quickly hit a second barrier: They could only encrypt with others who had already jumped through the same hoops. So even after someone finally set up encrypted email, they couldn’t use it with most of the people they wanted to send encrypted emails to.
The situation is much better today. A number of popular apps have come along that make encryption as easy as texting. Among the most secure is Signal, open-source software for iOS and Android that has caught on among activists, journalists, and others who do sensitive work. And probably the most popular is WhatsApp, a Facebook-owned platform with encryption setup derived from Signal. For me, the spread of encrypted chat apps means that, with very few exceptions, all of my text messages — with friends, family, or for work — are end-to-end encrypted, and no one even has to understand what a “public key” is.
But there is a major issue with both Signal and WhatsApp: Your account is tied to your phone number.
This makes these apps really easy to use, since there are no usernames or passwords to deal with. It also makes it easy to discover other app users; if someone is a contact in your phone and has the app installed, you can send them encrypted texts with no further effort.
But it also means that if you want people to be able to send you messages securely, you need to hand out your phone number. This puts people who interact with the public in an awkward bind: Is the ability for strangers to contact you securely worth publishing your private phone number?
In this article I explain how to create a second Signal number that is safe to publish on your Twitter bio and business cards, so strangers have an easy way to contact you securely, while your primary phone number remains private. I explain how to obtain a second phone number, how to register it with the Signal server, and how to configure it to use Signal Desktop — even if you’re already using Signal Desktop with your private phone number. I will focus on Signal rather than WhatsApp for reasons I’ll explain further down (basically, WhatsApp appears to block non-cellular phone numbers that make all this possible with Signal).
Why Wouldn’t You Want to Publish Your Phone Number?
When you give out your phone number, you risk opening yourself up to abuse. As freedom of expression activist Jillian York wrote on her personal blog, “As a woman, handing out my phone number to a stranger creates a moderate risk: What if he calls me in the middle of the night? What if he harasses me over SMS? What if I have to change my number to get away from him?”
If you’re a public figure, and especially if you’re a women or person of color, you’re probably used to sexist or racist jerks yelling slurs and threats at you on Twitter, Facebook, and in the comments section under the articles you write. Publishing your private phone number could make this problem worse and could make these people harder to mute.
It could also open up your online accounts to attack. Last year, someone hacked racial justice activist DeRay Mckesson’s Twitter and email accounts by taking over his phone number. The hacker called Verizon and, impersonating Mckesson, asked to change the SIM card associated with his phone number to a new one that they controlled, so they could receive SMS messages sent to his phone number.
By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.
— deray (@deray) June 10, 2016
Having a unique public number just for Signal could mitigate this sort of attack; it’s harder for a hacker to hijack the number that’s tied to your Twitter and email accounts if they don’t know it in the first place.
(If an attacker takes control of your phone number, like they did with Mckesson, they could also take over your Signal account. If someone did this to your friend, you’d see a “safety number changed” warning in Signal — the same message you see when a friend gets a new phone. If you ignore this warning and text them anyway, you’ll actually be texting the attacker. You can verify safety numbers to confirm that your Signal app is encrypting messages to your friend’s phone, and not to some attacker’s phone.)
How to Obtain a Second Phone Number
When you open the Signal app for the first time and type in your phone number, here’s what happens:
- The Signal service tries sending an SMS message with a verification code to your phone number. If you can receive that message or the app can receive it directly, and the message contains the correct code, then the app successfully registers the account.
- If you can’t receive the verification message, Signal gives you the option to try a voice call instead. In this case, the Signal service tries calling your phone number. When you answer, a robot voice tells you a verification code, and you can type it into the app. If you type the correct code, the app registers the account.
The initial step of verifying a phone number is the only step in which the phone network is involved. After this, Signal uses the internet for everything. Your phone number is only used as a way to identify your Signal account (basically, it’s your username), and your phone company doesn’t have access to any information about anything that goes on in Signal.
This means that, as long as you have access to a phone number where you can answer voice calls, like a landline or a VoIP number, you can use that phone number with Signal. (This isn’t true for all services. WhatsApp seems to only allow you to register using phone numbers distributed by cellphone carriers — but I’ve heard mixed reports, so it doesn’t hurt to try.)
In order to proceed, you need to obtain a second phone number that you’re OK with publishing. This can be:
- The desk phone at your office.
- A free Google Voice phone number, if you live in the United States (this is what I do).
- Any phone number from any online calling service, like Skype.
- A cheap pre-paid SIM card for a few dollars a month (and temporarily put it on your phone to register your second Signal number).
- Twilio, a cloud service that allows developers to write software that makes and receives phone calls and SMS messages. If following these instructions isn’t too daunting, you can purchase phone numbers for $1/month from Twilio to use for Signal. See this similar guide, written by Martin Shelton, for more thorough instructions on using Twilio for your second phone number.
It’s important to maintain control of this phone number. For example, you could use a disposable SMS service to register with Signal — there are many such services if you search for them — but those phone numbers can be used by anyone. Similarly, you should avoid using a public payphone’s number, or a SIM card on which you do not intend to renew service. If someone else can receive SMS messages or phone calls to this phone number, they can take your Signal account away from you.
If you have tips for other ways to obtain permanent phone numbers, post them in the comments.
Picking a Device for Your Second Signal Number
In order to register your second phone number with Signal, you’re going to need a dedicated device for it — or at least a dedicated user account on a device. The device doesn’t need to have any phone service, and it doesn’t even technically need to be a phone. Here are your options.
If you’re an Android user, you’re in luck. You likely have never used this feature, but Android supports multiple user accounts on a single device. Each user account has its own set of apps and app data. You can create a second user account on your device specifically for your second Signal number.
Open the Settings app, select Users, and select “Add user or profile” to add a new user. After creating a new user, log in to it and install the Signal app. Don’t forget to set up screen lock for the new user — otherwise, anyone with physical access to your phone will be able to easily access the Signal messages in your second user, even if your main user account is locked.
To switch between users on your phone, drag the notification bar down and tap on the user icon.
If you’re an iPhone user, and you’re already using Signal with your private phone number, setting up your public Signal account is a bit more complicated. Unfortunately, there’s no way to set up two separate Signal phone numbers on the same iPhone.
The simplest way to proceed is to find a separate iOS or Android device and use that for the second number. This device doesn’t need phone service or a SIM card. It could be an old iPhone or Android phone you don’t use anymore, or an iPad, iPod Touch, or Android tablet.
You can also elect to use your new public phone number only with Signal Desktop. Doing this involves removing your private Signal account from your iPhone, setting up the public account and Signal Desktop, and then restoring the private account, which will generate a warning to your contacts that your safety number has changed. It also significantly limits the ways you can use Signal, as I outline below.
For the truly geeky, it’s also possible to use your computer to register the second Signal number, but only go this route if you’re the type of computer nerd who enjoys troubleshooting tricky problems. You can use a command-line tool called signal-cli to register your phone number with Signal service, or you can install android-x86 inside a virtual machine and use that as a virtual Android device for Signal. If that seems like a bit much, you’re better off tracking down an old smartphone instead.
Registering Your New Number With Signal
Now that you have a second phone number and a device picked out, it’s time to register it with Signal. I’m using an Android device in the following photos, but the process in iOS is similar.
On your second Signal device (or the second user of your Android phone), open the Signal app for the first time. Type in the phone number you’ve obtained to use as your public Signal number (don’t type in your private phone number!), and register the phone number.
Register with Signal using the second phone number you obtained.
Wait two minutes for SMS verification to fail.
Verify with the Signal service using a voice call instead.
If all goes well, the verification process will succeed, and your new phone number will be registered with the Signal service.
And that’s it! This device can now receive messages to your second Signal phone number. You can tell everyone they can contact you using Signal with this phone number, and the text messages will end up going to this device.
But now you also have to deal with checking two separate devices for your messages (or two separate users on one Android device). To make things a bit more usable, you might want to set up Signal Desktop.
Setting up Signal Desktop
The desktop version of Signal is a Google Chrome app, which means that you install it inside of your browser (this will be changing soon, more on that below). You can read more about Signal Desktop here, including some security considerations on whether you should use the desktop version.
If you’d like to use Signal Desktop with just one of your phone numbers, this is simple. For example, maybe you’ll only use Signal on your phone for your personal number, but you’ll use Signal Desktop for your second, public Signal number. In this case, just install Signal Desktop from the Chrome Web Store, and follow the instructions to configure it using the Signal device of your choice.
If you’d like to use Signal Desktop with both phone numbers, you need to set up separate Chrome profiles (or “People”). Most Chrome users only have their default profile — this stores browser history, bookmarks, Chrome apps, and other settings. But it’s possible to create new profiles and easily switch between them. You can set up Signal Desktop in your default profile for your private phone number and create a second Chrome profile specifically for your second Signal number.
Signal developers are currently switching up how Signal Desktop works. Soon it will be a standalone app, no longer through Chrome. This means that you won’t be able to run two copies at the same time by creating two different Chrome profiles. But, for the time being, the following instructions still work fine.
First, let’s set up Signal Desktop for your personal phone number in your default Chrome profile (if you already use Signal Desktop, skip the next few paragraphs). Open Chrome and go here to install Signal Desktop. After it’s installed, a welcome screen will pop up explaining that you need to install Signal on your phone first, and showing you a QR code to scan from your phone, like this:
Follow the instructions using Signal on your personal cellphone to link it to this Signal Desktop.
You probably also want to make sure that this Signal Desktop is easy to open. If you’re using a Mac, right-click on the dock icon, select Options, and check “Keep in Dock.” If you’re using Windows, right-click on the taskbar icon and select “Pin to taskbar.”
Now it’s time to create a new Chrome profile for your second Signal phone number. Start by opening the Chrome menu (the icon in the top-right of your browser with three dots) and choose Settings. Under People at the top, click “Manage other people.”
In the bottom-right, click “Add person.” Come up with a name and an icon for this Chrome profile. In this screenshot, I’m calling my new person “Signal for strangers” and giving it a ninja avatar.
After clicking the save button, a whole new Chrome window opens with “Signal for strangers” in the top-right corner. (Note that you can click the name of your profile in the top-right to switch to other profiles.)
Like you did with your other profile, go here and install Signal Desktop. Again, a fresh new welcome window will pop up giving you instructions to get started, again with a QR code.
Follow the instructions, but this time, use your device for your second Signal number (or the second Android user, if you’re doing it all on one Android phone). When you’re done, you’ll have successfully linked your second Signal phone number to your second Signal Desktop!
You should make sure that this Signal Desktop is easy to open as well. If you’re using Mac, right-click on the second Signal dock icon, select Options, and check “Keep in Dock.” If you’re using Windows, right-click on the second Signal taskbar icon and select “Pin to taskbar.”
Now you should have two separate Signal Desktop icons, one for your private phone number and the other for the second phone number you just set up. You can also hold the mouse over the different Signal icons to tell them apart.
Finally, here’s a tip for running multiple Signal Desktops on the same computer. Within Signal Desktop, click the three dots menu icon and choose Settings. This allows you to choose between three different themes. Make sure that your two different Signal Desktop windows have different themes to make them easier to tell apart.
(For the few of you who run the Qubes operating system, this process is much simpler. Just install Signal Desktop in separate AppVMs for each phone number. This is what I do.)
Using Signal Desktop as Your Main Signal App
Now that your public Signal number is safe to publish, and encrypted texts go straight to your desktop, it might be tempting to only use the desktop app for this phone number. This is fine, but you should be aware of its limitations.
Signal Desktop app has fewer features than the mobile app. You can’t have encrypted voice or video calls in Signal Desktop, and you also can’t create or modify Signal groups — if you need to do these things, you have to do them on the mobile device. And while disappearing messages work fine, there’s no interface to delete individual messages from the desktop app.
Another Signal Desktop limitation is that there’s no way to assign names to Signal contacts from there; Signal relies on your phone’s contacts to translate phone numbers into names. So if you’d like to assign a name to a contact, you have to add them as a contact on the mobile device that you registered this Signal number with first.
Finally, messages that arrive to Signal Desktop, but not to the phone used to set up Signal Desktop, will accumulate on the server. Here’s why: When someone sends you a Signal message, their Signal app encrypts the message and sends it to the server. The server stores this encrypted message until it can be successfully delivered to your devices, and then the server deletes its copy after. But since your Signal account is associated with two devices, the mobile app and the desktop app, the server won’t delete its copy of the encrypted message until it successfully delivers the message to both devices. Therefore, it’s important to periodically power on your mobile device that you configured Signal on, even if you intend to primarily just use the desktop app.
Will Signal Ever Make This Simpler?
At the moment, you can only register a Signal account using a phone number, but a future version of Signal could support other identifiers as well, such as email addresses.
Just like with phone numbers, Signal could automatically verify email addresses. And like with phone numbers, people store email addresses in their phone’s contacts, so contact discovery could still be automatic. Unlike private phone numbers though, journalists and activists routinely publish their email addresses for strangers to contact them. And for those who wish to use Signal anonymously, like whistleblowers, it’s much simpler to obtain an anonymous email address than an anonymous phone number.
This feature has been widely requested by users, and the associated issue is still open on GitHub, where you can find Signal’s source code. But will Signal’s developers implement it? I asked, and they told me that they don’t comment on new features until they’ve shipped them.
If you have any feedback about this tutorial, please post it on the comments, or contact me on Signal at (415) 964-1601.
Contact the author:
Related
Latest Stories
The Feds Have Thousands of Stadium Lights on the Border. Switching Them On Would Devastate Desert Ecosystems.
The powerful lights mounted on the border wall threaten the dark skies that make southern Arizona a biodiversity hotspot.
Group of Global Leftist Leaders Warns “Soft Coup” Is Underway in Colombia
A prominent set of progressive leaders are coming to the defense of Colombia’s Gustavo Petro, whose administration is facing a cascading series of struggles.
Intercepted Podcast
Monetary Blowback: How U.S. Wars, Sanctions, and Hegemony Are Threatening the Dollar’s Reserve Currency Dominance
A growing number of countries are preparing to shift from using the U.S. dollar in trade, which could undermine the greenback’s global supremacy.